Commit Graph

496470 Commits

Author SHA1 Message Date
Irina Tirdea
d37f6836fa iio: core: Introduce IIO_CHAN_INFO_CALIBWEIGHT
Some devices need the weight of the user to compute other
parameters. One of this devices is Freescale's MMA9553L
(http://www.freescale.com/files/sensors/doc/ref_manual/MMA9553LSWRM.pdf)
that needs the weight of the user to compute the number of calories burnt.

Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2015-01-27 18:49:54 +00:00
Irina Tirdea
5a1a932981 iio: core: Introduce IIO_VELOCITY and IIO_MOD_ROOT_SUM_SQUARED_X_Y_Z
Some devices export the current speed value of the user.

One of this devices is Freescale's MMA9553L
(http://www.freescale.com/files/sensors/doc/ref_manual/MMA9553LSWRM.pdf)
that computes the speed of the user based on the number of steps and
stride length.

Introduce a new channel type VELOCITY and a modifier for the magniture or
norm of the velocity vector, IIO_MOD_ROOT_SUM_SQUARED_X_Y_Z.

Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2015-01-27 18:49:54 +00:00
Irina Tirdea
cc3c9eecae iio: core: Introduce DISTANCE channel type
Some devices export an estimation of the distance the user has covered
since the last reset.

One of this devices is Freescale's MMA9553L
(http://www.freescale.com/files/sensors/doc/ref_manual/MMA9553LSWRM.pdf)
that computes the distance based on the stride length and step rate.

Introduce a new channel type DISTANCE to export these values.

Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2015-01-27 18:49:53 +00:00
Irina Tirdea
72c6664467 iio: core: Introduce ENERGY channel type
Human activity sensors report the energy burnt by the user.
One of this devices is Freescale's MMA9553L
(http://www.freescale.com/files/sensors/doc/ref_manual/MMA9553LSWRM.pdf)
that computes the number of calories based on weight and step rate.

Introduce a new channel type ENERGY to export these values.

Signed-off-by: Irina Tirdea <irina.tirdea@intel.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2015-01-27 18:49:52 +00:00
Lars-Peter Clausen
9d9f780000 iio: as3935: Switch to PM ops
Switch from the legacy suspend/resume callbacks to device pm ops.

Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2015-01-27 18:49:52 +00:00
Kevin Tsai
b84894c7f0 iio: Added Capella cm3232 ambient light sensor driver.
CM3232 is an advanced ambient light sensor with I2C protocol interface.
The I2C slave address is internally hardwired as 0x10 (7-bit).  Writing
to configure register is byte mode, but reading ALS register requests to
use word mode for 16-bit resolution.

Signed-off-by: Kevin Tsai <ktsai@capellamicro.com>
Signed-off-by: Jonathan Cameron <jic23@kernel.org>
2015-01-27 18:49:48 +00:00
Linus Torvalds
7da323bb45 Two powerpc fixes.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUxx7MAAoJEFHr6jzI4aWAqe0QAIGGb2mtU1gON4XtWIlYPzSu
 TZDGAK6pCeCr92tH5H3HXy7hOEbZOPQGJCqvOHMK/kcJtlkXSrW1ERDPryqEv9Xq
 V+PJMY5Tre1ga1xttyk3ny4zKmAy4UcLm6Wepi5054kB0Svo7/s2IKECwsInY/D3
 yYxSW4XUZXvCYqdZUqdQbCSgocWOfFJbPqt4kf2IiqjCPlWU1GGjpMpmqXFhTh4Y
 wuU0FtcC7db+wCvjaXs/dbCHMZqWqsQ+WCo9kz2+fLtRbthXSk0A9V96jLzah32/
 yQHqyH2+/6ZklxApjgvuQ4ZhZogU2U2PlFLfpJqiBhy+5WnkBpZtJ1lIj9hGlyC4
 pvKjrHTp0Q8+gZ8ZxuEuiKV1L+01kWbtQwg4Z5HIuulz7DfiSGatSez6CuwIeV49
 A5dQmse0bK6L4XWlB+RKyLdnj+HSPVFIcLlTPMSV/UlDp7IySphR+zp28ykyWv0C
 yGa9JUeD7hvM3Oezo88QoS4P5rk/KmQjPMhYz+ab8/eX3RCtBA1jb/KrdLm2b4tM
 sVJyuiyalL35IoOZlAh8rrKHfu1ZgXyYkJgMdccAy2yQZghmK4H8o8gdf9YWGNNq
 vEZHk+2gKI1T1o5uqvHMmkw0IWV4pE9jm3Jyo2W/pZozxR3oswOtUebCXbK+mLqy
 81GwzBWwALxbRM5HGtIr
 =cDwY
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-3.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux

Pull powerpc fixes from Michael Ellerman:
 "Two powerpc fixes"

* tag 'powerpc-3.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/mpe/linux:
  powerpc/powernv: Restore LPCR with LPCR_PECE1 cleared
  powerpc/xmon: Fix another endiannes issue in RTAS call from xmon
2015-01-27 10:04:38 -08:00
Linus Torvalds
41592e2fb5 SCSI was using module_refcount() to figure out when the module was
unloading: this broke with new atomic refcounting.  The code is still
 suspicious, but this solves the WARN_ON().
 
 Thanks,
 Rusty.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUxuOxAAoJENkgDmzRrbjxtGIP/im0s3L+wM28NdQ5zFOiIpwX
 0N4y4U6Aa+rrLs27jDZtXW4ss+fr/V7pUSD1uwTrTHl9X4a3M+DLpEME5Rq40TXG
 MYHihlQo8PM/yCuTMFR7esF20/q9CIksuVA3GkjYqwBW+ks097+t60Yn7YSfX22U
 HzSiR3Pp6yPjMoZWROP576rc9VtOM6tScKU1rzwe8Bo7ayzNADmTFJR4UpQuiQhU
 NwHn7Lih6EGsVTtaX3KS91dA7v5Un/S4jskqAkkwOW3ipgf38LLfjETueHvDWpda
 szVFoMMMkqDwse2MyluiLk/80Cpl528GO24D0MMbQoPfsUi7OgxQN6t1QviRxeut
 pH1VyK4VrRDqhpGB+5l7PQUOk58dL4SjmIVO/G9wxMgKzw2giONJdt/zHBXMr5/l
 6RYINwHEQalMoG3X+kgYKa5E1WPXeJsE4xQTBIQRsaHO+9lk95BbNUVfUgvygUPV
 TTaymhHhEYOsntiMHPkTI05FkK79khs/qX7lU1MVtZ9x7UaYXs3ziY7z+D5fRKf1
 WgoYemWBeFZznsceacNSZGjFsaMJr6gsZ/rVuPSbytXDXSOrQsJxiENph7CnHbRk
 4UJffEomjdQ93CNGBI2hCYlr4Gf5DflbwHjJbT+YXcqumkXJq4+ktSFp5aCH+9q8
 901XYQ7QIJ4roIOzODUG
 =JI7o
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux

Pull one more module fix from Rusty Russell:
 "SCSI was using module_refcount() to figure out when the module was
  unloading: this broke with new atomic refcounting.  The code is still
  suspicious, but this solves the WARN_ON()"

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rusty/linux:
  scsi: always increment reference count
2015-01-27 09:02:09 -08:00
Govindarajulu Varadarajan
24e579c889 bnx2x: fix napi poll return value for repoll
With the commit d75b1ade56 ("net: less interrupt masking in NAPI") napi
repoll is done only when work_done == budget. When in busy_poll is we return 0
in napi_poll. We should return budget.

Signed-off-by: Govindarajulu Varadarajan <_govind@gmx.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:29:29 -08:00
David S. Miller
bf693f7beb Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec
Steffen Klassert says:

====================
ipsec 2015-01-26

Just two small fixes for _decode_session6() where we
might decode to wrong header information in some rare
situations.

Please pull or let me know if there are problems.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:28:38 -08:00
Hannes Frederic Sowa
6e9e16e614 ipv6: replacing a rt6_info needs to purge possible propagated rt6_infos too
Lubomir Rintel reported that during replacing a route the interface
reference counter isn't correctly decremented.

To quote bug <https://bugzilla.kernel.org/show_bug.cgi?id=91941>:
| [root@rhel7-5 lkundrak]# sh -x lal
| + ip link add dev0 type dummy
| + ip link set dev0 up
| + ip link add dev1 type dummy
| + ip link set dev1 up
| + ip addr add 2001:db8:8086::2/64 dev dev0
| + ip route add 2001:db8:8086::/48 dev dev0 proto static metric 20
| + ip route add 2001:db8:8088::/48 dev dev1 proto static metric 10
| + ip route replace 2001:db8:8086::/48 dev dev1 proto static metric 20
| + ip link del dev0 type dummy
| Message from syslogd@rhel7-5 at Jan 23 10:54:41 ...
|  kernel:unregister_netdevice: waiting for dev0 to become free. Usage count = 2
|
| Message from syslogd@rhel7-5 at Jan 23 10:54:51 ...
|  kernel:unregister_netdevice: waiting for dev0 to become free. Usage count = 2

During replacement of a rt6_info we must walk all parent nodes and check
if the to be replaced rt6_info got propagated. If so, replace it with
an alive one.

Fixes: 4a287eba2d ("IPv6 routing, NLM_F_* flag support: REPLACE and EXCL flags support, warn about missing CREATE flag")
Reported-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Tested-by: Lubomir Rintel <lkundrak@v3.sk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:22:14 -08:00
David S. Miller
225776098b Merge branch 'sh_eth'
Ben Hutchings says:

====================
Fixes for sh_eth #3

I'm continuing review and testing of Ethernet support on the R-Car H2
chip.  This series fixes the last of the more serious issues I've found.

These are not tested on any of the other supported chips.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:18:57 -08:00
Ben Hutchings
52b9fa3696 sh_eth: Fix DMA-API usage for RX buffers
- Use the return value of dma_map_single(), rather than calling
  virt_to_page() separately
- Check for mapping failue
- Call dma_unmap_single() rather than dma_sync_single_for_cpu()

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:18:54 -08:00
Ben Hutchings
aa3933b873 sh_eth: Check for DMA mapping errors on transmit
dma_map_single() may fail if an IOMMU or swiotlb is in use, so
we need to check for this.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:18:53 -08:00
Ben Hutchings
740c7f31c0 sh_eth: Ensure DMA engines are stopped before freeing buffers
Currently we try to clear EDRRR and EDTRR and immediately continue to
free buffers.  This is unsafe because:

- In general, register writes are not serialised with DMA, so we still
  have to wait for DMA to complete somehow
- The R8A7790 (R-Car H2) manual states that the TX running flag cannot
  be cleared by writing to EDTRR
- The same manual states that clearing the RX running flag only stops
  RX DMA at the next packet boundary

I applied this patch to the driver to detect DMA writes to freed
buffers:

> --- a/drivers/net/ethernet/renesas/sh_eth.c
> +++ b/drivers/net/ethernet/renesas/sh_eth.c
> @@ -1098,7 +1098,14 @@ static void sh_eth_ring_free(struct net_device *ndev)
>  	/* Free Rx skb ringbuffer */
>  	if (mdp->rx_skbuff) {
>  		for (i = 0; i < mdp->num_rx_ring; i++)
> +			memcpy(mdp->rx_skbuff[i]->data,
> +			       "Hello, world", 12);
> +		msleep(100);
> +		for (i = 0; i < mdp->num_rx_ring; i++) {
> +			WARN_ON(memcmp(mdp->rx_skbuff[i]->data,
> +				       "Hello, world", 12));
>  			dev_kfree_skb(mdp->rx_skbuff[i]);
> +		}
>  	}
>  	kfree(mdp->rx_skbuff);
>  	mdp->rx_skbuff = NULL;

then ran the loop:

    while ethtool -G eth0 rx 128 ; ethtool -G eth0 rx 64; do echo -n .; done

and 'ping -f' toward the sh_eth port from another machine.  The
warning fired several times a minute.

To fix these issues:

- Deactivate all TX descriptors rather than writing to EDTRR
- As there seems to be no way of telling when RX DMA is stopped,
  perform a soft reset to ensure that both DMA enginess are stopped
- To reduce the possibility of the reset truncating a transmitted
  frame, disable egress and wait a reasonable time to reach a
  packet boundary before resetting
- Update statistics before resetting

(The 'reasonable time' does not allow for CS/CD in half-duplex
mode, but half-duplex no longer seems reasonable!)

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:18:53 -08:00
Ben Hutchings
dc1d0e6d55 sh_eth: Remove RX overflow log messages
If RX traffic is overflowing the FIFO or DMA ring, logging every time
this happens just makes things worse.  These errors are visible in the
statistics anyway.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:18:53 -08:00
David S. Miller
8d8d67f140 linux-can-fixes-for-3.19-20150127
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJUx0SsAAoJECte4hHFiupUy9wP/3YkYTtcFcyZ4xbv3v8q+AZX
 GklmuK8aSmyy6Rwq/ZWtE8g9FCnedBy5D5ws76BgJjwmuAinsfjA893IYfPD0oTV
 sR6QKkA9QP3CgAwLfkH4+Zkd/dV4ltwZwTenwTPUXLZ/6qxfWjwvGwgXPoaZtChO
 R3Sqf0l4h7hmVu2/xuUNAycSysQYqCkbHVD3q1bEyd6H3jvFze/YixRqOaiCXwNh
 nI0H7lrdAAnYKfmWfKI6SaWtfxfyejExdMfDGwbe6FWPX6YNWI/4RB+vJwVLELuy
 kjJBZEFEVJWNsrwXOU/EqIyajXrSIt6asLy0wNaME99QzSAyV857PY8ZLuhEwcWP
 bmYrIPRvFKnG+STcIhZC+xOGEPVTe2Mh4y+JLgTQ0JWFR8+8GWdBRI1Oj1BYblGh
 CUMIeSs1KeQ0HHBAD/frCg2FxPzE/cZvqgznr8neC6o7fkrw0HOq9zn8ovC1vsYk
 lky0tNDO3ZTdagghGzr1Wfcs+TAyI4qrMWTI7cbuyZ+o/icPhR3WIkA3RFR0imBb
 yEB32HUN06YZnvQs8DsRIh4EhJe2f/ZjSETl5uxhI/bgaBYGzplSP0S95Q8tblWR
 6zpJyBTEkoaFZXLD0MPmAi7rp3EcpK3orjI5g9CgOoYK09AvIPcH3wRffvkht1/E
 WgmUt4gecjxWfukFU408
 =S/gP
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-3.19-20150127' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2015-01-27

this is another pull request for net/master which consists of 4 patches.

All 4 patches are contributed by Ahmed S. Darwish, he fixes more problems in
the kvaser_usb driver.

David, please merge net/master to net-next/master, as we have more kvaser_usb
patches in the queue, that target net-next.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:13:05 -08:00
subashab@codeaurora.org
fc752f1f43 ping: Fix race in free in receive path
An exception is seen in ICMP ping receive path where the skb
destructor sock_rfree() tries to access a freed socket. This happens
because ping_rcv() releases socket reference with sock_put() and this
internally frees up the socket. Later icmp_rcv() will try to free the
skb and as part of this, skb destructor is called and which leads
to a kernel panic as the socket is freed already in ping_rcv().

-->|exception
-007|sk_mem_uncharge
-007|sock_rfree
-008|skb_release_head_state
-009|skb_release_all
-009|__kfree_skb
-010|kfree_skb
-011|icmp_rcv
-012|ip_local_deliver_finish

Fix this incorrect free by cloning this skb and processing this cloned
skb instead.

This patch was suggested by Eric Dumazet

Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:04:53 -08:00
Herbert Xu
86f3cddbc3 udp_diag: Fix socket skipping within chain
While working on rhashtable walking I noticed that the UDP diag
dumping code is buggy.  In particular, the socket skipping within
a chain never happens, even though we record the number of sockets
that should be skipped.

As this code was supposedly copied from TCP, this patch does what
TCP does and resets num before we walk a chain.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-27 00:02:41 -08:00
Ahmed S. Darwish
e638642b08 can: kvaser_usb: Fix state handling upon BUS_ERROR events
While being in an ERROR_WARNING state, and receiving further
bus error events with error counters still in the ERROR_WARNING
range of 97-127 inclusive, the state handling code erroneously
reverts back to ERROR_ACTIVE.

Per the CAN standard, only revert to ERROR_ACTIVE when the
error counters are less than 96.

Moreover, in certain Kvaser models, the BUS_ERROR flag is
always set along with undefined bits in the M16C status
register. Thus use bitwise operators instead of full equality
for checking that register against bus errors.

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2015-01-27 08:55:09 +01:00
Ahmed S. Darwish
14c10c2a1d can: kvaser_usb: Retry the first bulk transfer on -ETIMEDOUT
On some x86 laptops, plugging a Kvaser device again after an
unplug makes the firmware always ignore the very first command.
For such a case, provide some room for retries instead of
completely exiting the driver init code.

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2015-01-27 08:55:09 +01:00
Ahmed S. Darwish
3803fa6977 can: kvaser_usb: Send correct context to URB completion
Send expected argument to the URB completion hander: a CAN
netdevice instead of the network interface private context
`kvaser_usb_net_priv'.

This was discovered by having some garbage in the kernel
log in place of the netdevice names: can0 and can1.

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2015-01-27 08:55:08 +01:00
Ahmed S. Darwish
ded5006667 can: kvaser_usb: Do not sleep in atomic context
Upon receiving a hardware event with the BUS_RESET flag set,
the driver kills all of its anchored URBs and resets all of
its transmit URB contexts.

Unfortunately it does so under the context of URB completion
handler `kvaser_usb_read_bulk_callback()', which is often
called in an atomic context.

While the device is flooded with many received error packets,
usb_kill_urb() typically sleeps/reschedules till the transfer
request of each killed URB in question completes, leading to
the sleep in atomic bug. [3]

In v2 submission of the original driver patch [1], it was
stated that the URBs kill and tx contexts reset was needed
since we don't receive any tx acknowledgments later and thus
such resources will be locked down forever. Fortunately this
is no longer needed since an earlier bugfix in this patch
series is now applied: all tx URB contexts are reset upon CAN
channel close. [2]

Moreover, a BUS_RESET is now treated _exactly_ like a BUS_OFF
event, which is the recommended handling method advised by
the device manufacturer.

[1] http://article.gmane.org/gmane.linux.network/239442
    http://www.webcitation.org/6Vr2yagAQ

[2] can: kvaser_usb: Reset all URB tx contexts upon channel close
    889b77f7fd

[3] Stacktrace:

 <IRQ>  [<ffffffff8158de87>] dump_stack+0x45/0x57
 [<ffffffff8158b60c>] __schedule_bug+0x41/0x4f
 [<ffffffff815904b1>] __schedule+0x5f1/0x700
 [<ffffffff8159360a>] ? _raw_spin_unlock_irqrestore+0xa/0x10
 [<ffffffff81590684>] schedule+0x24/0x70
 [<ffffffff8147d0a5>] usb_kill_urb+0x65/0xa0
 [<ffffffff81077970>] ? prepare_to_wait_event+0x110/0x110
 [<ffffffff8147d7d8>] usb_kill_anchored_urbs+0x48/0x80
 [<ffffffffa01f4028>] kvaser_usb_unlink_tx_urbs+0x18/0x50 [kvaser_usb]
 [<ffffffffa01f45d0>] kvaser_usb_rx_error+0xc0/0x400 [kvaser_usb]
 [<ffffffff8108b14a>] ? vprintk_default+0x1a/0x20
 [<ffffffffa01f5241>] kvaser_usb_read_bulk_callback+0x4c1/0x5f0 [kvaser_usb]
 [<ffffffff8147a73e>] __usb_hcd_giveback_urb+0x5e/0xc0
 [<ffffffff8147a8a1>] usb_hcd_giveback_urb+0x41/0x110
 [<ffffffffa0008748>] finish_urb+0x98/0x180 [ohci_hcd]
 [<ffffffff810cd1a7>] ? acct_account_cputime+0x17/0x20
 [<ffffffff81069f65>] ? local_clock+0x15/0x30
 [<ffffffffa000a36b>] ohci_work+0x1fb/0x5a0 [ohci_hcd]
 [<ffffffff814fbb31>] ? process_backlog+0xb1/0x130
 [<ffffffffa000cd5b>] ohci_irq+0xeb/0x270 [ohci_hcd]
 [<ffffffff81479fc1>] usb_hcd_irq+0x21/0x30
 [<ffffffff8108bfd3>] handle_irq_event_percpu+0x43/0x120
 [<ffffffff8108c0ed>] handle_irq_event+0x3d/0x60
 [<ffffffff8108ec84>] handle_fasteoi_irq+0x74/0x110
 [<ffffffff81004dfd>] handle_irq+0x1d/0x30
 [<ffffffff81004727>] do_IRQ+0x57/0x100
 [<ffffffff8159482a>] common_interrupt+0x6a/0x6a

Signed-off-by: Ahmed S. Darwish <ahmed.darwish@valeo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2015-01-27 08:55:08 +01:00
Olof Johansson
c6e3324e3b Allwinner fixes for 3.19
A few minor fixes for the 3.19 kernel:
   - The 8250 uart driver now respects the aliases, which pointed out that we
     were using them wrong. Fixed them.
   - The simplefb pipeline that was used on the A10 caused flickering and
     tearing, and rendered it pretty much useless. Added a new simplefb node
     with another pipeline that removes this issue. Note that we need to keep
     the old node because u-boot 2015.01 uses it.
   - Added a fix for the USB phy node on sun4i/sun5i
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUxSO6AAoJEBx+YmzsjxAgXE0P/0ThQfyiIrgBnGKhqi+/mvS9
 IVebkyic34wsSud30b7jizfFHDkGMd0T2LVvLgXyx6BIPyD4vJ0ivhwC1rS+TCPv
 ZK+lQJgd63I35GiTdJNpEe6QJWd25lWfNSsfhprXl2tJ+UvkkRlTN3OaLSVUzb4r
 RsKQJV2ZlCnF1r8K4WDfvEa+vUgH9tChfdid3bUacRh2s+vZoxgJY50OO+g5RQuN
 BVu3zhV1C4Lmgr642EWwITvtLX+la56wMgvYfqWrK5eei356Y2BwTZuFAlj5w+3X
 HyssS4t5/kM0yubUS82bXv5caQefVpaVXKVitUDJygsyOYnQ9sXeTkfVTIaU0LGL
 GS9lKGbaAM04L69yRnwNhBztpHbAllOsOGVauIBEFweMMvclJwdmRvkd8suSwB5E
 AP54v2stJrnyNmp8AYSehQmRYOubKucZMqz8oOv15J207na7wFMpcvqPO5u3DqGM
 Hi/cHS6kejlLPoz5dff732KhRKQs6ZNK9q3gagZEKQHnJ75cKDLmZB/Zkj8fChXL
 RsSEphU3XV092CxUrdmzbcR2NPnvN8gVIXWY4BPxGsbdi/heY+MyxAO5zBHMdUIt
 v/CoJRDtsWug8zUqylFHY8xJuzK0uNgXiocnCpuEgwbooOFAEcUBetEiUgOJ7XtT
 j3HSY2p1tridaGigU/Hp
 =JLlc
 -----END PGP SIGNATURE-----

Merge tag 'sunxi-fixes-for-3.19' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux into fixes

Merge "Allwinner fixes for 3.19" from Maxime Ripard:

Allwinner fixes for 3.19

A few minor fixes for the 3.19 kernel:
  - The 8250 uart driver now respects the aliases, which pointed out that we
    were using them wrong. Fixed them.
  - The simplefb pipeline that was used on the A10 caused flickering and
    tearing, and rendered it pretty much useless. Added a new simplefb node
    with another pipeline that removes this issue. Note that we need to keep
    the old node because u-boot 2015.01 uses it.
  - Added a fix for the USB phy node on sun4i/sun5i

* tag 'sunxi-fixes-for-3.19' of https://git.kernel.org/pub/scm/linux/kernel/git/mripard/linux:
  ARM: sunxi: dt: Fix aliases
  ARM: dts: sun4i: Add simplefb node with de_fe0-de_be0-lcd0-hdmi pipeline
  ARM: dts: sun6i: ippo-q8h-v5: Fix serial0 alias
  ARM: dts: sunxi: Fix usb-phy support for sun4i/sun5i

Signed-off-by: Olof Johansson <olof@lixom.net>
2015-01-26 20:19:27 -08:00
Greg Kroah-Hartman
54eb4cd465 usb: fixes for v3.19-rc6
Just two fixes pending. A fix USB PHY for non-OF case and
 a fix for dwc2 running on samsung SoC.
 
 Signed-off-by: Felipe Balbi <balbi@ti.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJUwVBYAAoJEIaOsuA1yqREZwwP/0/uE+dullOFcv5Yg4624INb
 2GnQznXmp6NLa+y7262akEAaIYprnVMU3Dpo66+rrl01S71cAtYYC2VBct8f2fvk
 o6ufSOWgsvj7D+6HUFivw9DYFx/Kk5RHG+pz69/TiLmbZBGU2R0+6QZdrcz7hD15
 5oykD793DkLP5rRC71vQiGhMIKOEWvGlD4sHtJd9SazE96Txi5f9a09mFA1ORLbi
 9eEcPEjEc52rHeQToKYU+xi5Sf3ifql1gITNeQiWTu7+CIMFpx9mymo2S6yaSp+d
 GhzUtiX5w9IlPZ4fS235KcsILdiycOIFfO0Z7IHRYUq9Vms+Dwu6TO2aHG7ap1xF
 st3jA0svlZwEHIoGcp7LYaNIadSsrluYeXsY6jOfpzfwwaa51XIJbGFdGkVcMTf2
 pZd/+Q+3UxAhPxk1/Btyd+2KMhhYGd8b8ol1BZDos+MzBCO3JZcakGA0wH2UuNcU
 IXM6TbUI9waoZD9Jp5fMYC64xdWvluPis8ag/ay1u+tsAPumdQXb1fiNeJvjDvN+
 x7qSv/QQfq3VEn0K3TROZM+7qEu9/LU7PNS+Q+aE5FxNE7IZ/WtJHUyOVsxybI4P
 ChSr+Jqh9Q10x+s+ChwjLOQSNrQxnX8Dq4GnglUesf8xhZF84jtghlCLaAla+3yf
 LzMKhudkzP1xjDDnfl/R
 =QdcU
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-v3.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/balbi/usb into usb-linus

Felipe writes:

usb: fixes for v3.19-rc6

Just two fixes pending. A fix USB PHY for non-OF case and
a fix for dwc2 running on samsung SoC.

Signed-off-by: Felipe Balbi <balbi@ti.com>
2015-01-26 19:13:41 -08:00
David S. Miller
7d63585bf0 Another set of last-minute fixes:
* fix station double-removal when suspending while associating
  * fix the HT (802.11n) header length calculation
  * fix the CCK radiotap flag used for monitoring, a pretty
    old regression but a simple one-liner
  * fix per-station group-key handling
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJUwmkTAAoJEDBSmw7B7bqr3X0P/3Y/2UnQSBSi2LnqmsuV8igR
 noAwaPuCf2ASs25v9nQv64JM1qC0kiemYesi3fFWHiqPhoxx9WrMSvjXdarynrQN
 LwBG74tcQVEeW70w+36yeKCS+wMU35eTzDDxdnYOfJeNOhW2rQE7WVT2drkc6lVL
 hvGRhqlBx0mVLQ3VCW5c1kmMN/VAttZKx5WWWurmA8OSQzcHJGZW6ZTuqwpDx4RT
 iqwi5uBtMkqTQV+22Zb4xI+YxLGwcGiYjy15KksPsrSZZeS5pJzeyovrDhACBVpE
 aVj3K+OAGVmXCN7HVpQ3tTqCaQea5o+EDqtnT/IQrjnmw6p4mC3co6ShiVn+DkTX
 6nv/ka92k9q1LMGIzl+lje2cNmaerVrDa84gUqnHXbTr80+ugKu4NpZowQgdW4yG
 Qu4kQALkTRhUoNf+RUzXKcFqAW2qLKf83qLcrhbQWkSrY0hzLVWKI/1/FAkCyo6I
 zKhsB44mHMMaKGVq5qsHTD0E89PtiJuizDLiU04uJExYJCi1FCh9NDlc+HaVlTnt
 5LHFbrsPDuAUKoKSiJmJUIyueL+Of5N34+epuLRZb55aE2AQhApg6Nxd+FMuro1m
 0aeHEREEO04QZ7IUrYgBA4G7L1dsZJDD8auU6Y4V3chAg6ArbswbtzAv8ON1tAk+
 pr0kThACKqkfg2tN5fny
 =DhIp
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2015-01-23' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Another set of last-minute fixes:
 * fix station double-removal when suspending while associating
 * fix the HT (802.11n) header length calculation
 * fix the CCK radiotap flag used for monitoring, a pretty
   old regression but a simple one-liner
 * fix per-station group-key handling

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 17:32:24 -08:00
Hannes Frederic Sowa
df4d92549f ipv4: try to cache dst_entries which would cause a redirect
Not caching dst_entries which cause redirects could be exploited by hosts
on the same subnet, causing a severe DoS attack. This effect aggravated
since commit f886497212 ("ipv4: fix dst race in sk_dst_get()").

Lookups causing redirects will be allocated with DST_NOCACHE set which
will force dst_release to free them via RCU.  Unfortunately waiting for
RCU grace period just takes too long, we can end up with >1M dst_entries
waiting to be released and the system will run OOM. rcuos threads cannot
catch up under high softirq load.

Attaching the flag to emit a redirect later on to the specific skb allows
us to cache those dst_entries thus reducing the pressure on allocation
and deallocation.

This issue was discovered by Marcelo Leitner.

Cc: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Marcelo Leitner <mleitner@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 17:28:27 -08:00
David S. Miller
412d2907c4 Merge branch 'bpf'
Alexei Starovoitov says:

====================
bpf: fix two bugs

Michael Holzheu caught two issues (in bpf syscall and in the test).
Fix them. Details in corresponding patches.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 17:20:48 -08:00
Alexei Starovoitov
ba1a68bf13 samples: bpf: relax test_maps check
hash map is unordered, so get_next_key() iterator shouldn't
rely on particular order of elements. So relax this test.

Fixes: ffb65f27a1 ("bpf: add a testsuite for eBPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 17:20:40 -08:00
Alexei Starovoitov
8ebe667c41 bpf: rcu lock must not be held when calling copy_to_user()
BUG: sleeping function called from invalid context at mm/memory.c:3732
in_atomic(): 0, irqs_disabled(): 0, pid: 671, name: test_maps
1 lock held by test_maps/671:
 #0:  (rcu_read_lock){......}, at: [<0000000000264190>] map_lookup_elem+0xe8/0x260
Call Trace:
([<0000000000115b7e>] show_trace+0x12e/0x150)
 [<0000000000115c40>] show_stack+0xa0/0x100
 [<00000000009b163c>] dump_stack+0x74/0xc8
 [<000000000017424a>] ___might_sleep+0x23a/0x248
 [<00000000002b58e8>] might_fault+0x70/0xe8
 [<0000000000264230>] map_lookup_elem+0x188/0x260
 [<0000000000264716>] SyS_bpf+0x20e/0x840

Fix it by allocating temporary buffer to store map element value.

Fixes: db20fd2b01 ("bpf: add lookup/update/delete/iterate methods to BPF maps")
Reported-by: Michael Holzheu <holzheu@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 17:20:40 -08:00
Daniel Borkmann
600ddd6825 net: sctp: fix slab corruption from use after free on INIT collisions
When hitting an INIT collision case during the 4WHS with AUTH enabled, as
already described in detail in commit 1be9a950c6 ("net: sctp: inherit
auth_capable on INIT collisions"), it can happen that we occasionally
still remotely trigger the following panic on server side which seems to
have been uncovered after the fix from commit 1be9a950c6 ...

[  533.876389] BUG: unable to handle kernel paging request at 00000000ffffffff
[  533.913657] IP: [<ffffffff811ac385>] __kmalloc+0x95/0x230
[  533.940559] PGD 5030f2067 PUD 0
[  533.957104] Oops: 0000 [#1] SMP
[  533.974283] Modules linked in: sctp mlx4_en [...]
[  534.939704] Call Trace:
[  534.951833]  [<ffffffff81294e30>] ? crypto_init_shash_ops+0x60/0xf0
[  534.984213]  [<ffffffff81294e30>] crypto_init_shash_ops+0x60/0xf0
[  535.015025]  [<ffffffff8128c8ed>] __crypto_alloc_tfm+0x6d/0x170
[  535.045661]  [<ffffffff8128d12c>] crypto_alloc_base+0x4c/0xb0
[  535.074593]  [<ffffffff8160bd42>] ? _raw_spin_lock_bh+0x12/0x50
[  535.105239]  [<ffffffffa0418c11>] sctp_inet_listen+0x161/0x1e0 [sctp]
[  535.138606]  [<ffffffff814e43bd>] SyS_listen+0x9d/0xb0
[  535.166848]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

... or depending on the the application, for example this one:

[ 1370.026490] BUG: unable to handle kernel paging request at 00000000ffffffff
[ 1370.026506] IP: [<ffffffff811ab455>] kmem_cache_alloc+0x75/0x1d0
[ 1370.054568] PGD 633c94067 PUD 0
[ 1370.070446] Oops: 0000 [#1] SMP
[ 1370.085010] Modules linked in: sctp kvm_amd kvm [...]
[ 1370.963431] Call Trace:
[ 1370.974632]  [<ffffffff8120f7cf>] ? SyS_epoll_ctl+0x53f/0x960
[ 1371.000863]  [<ffffffff8120f7cf>] SyS_epoll_ctl+0x53f/0x960
[ 1371.027154]  [<ffffffff812100d3>] ? anon_inode_getfile+0xd3/0x170
[ 1371.054679]  [<ffffffff811e3d67>] ? __alloc_fd+0xa7/0x130
[ 1371.080183]  [<ffffffff816149a9>] system_call_fastpath+0x16/0x1b

With slab debugging enabled, we can see that the poison has been overwritten:

[  669.826368] BUG kmalloc-128 (Tainted: G        W     ): Poison overwritten
[  669.826385] INFO: 0xffff880228b32e50-0xffff880228b32e50. First byte 0x6a instead of 0x6b
[  669.826414] INFO: Allocated in sctp_auth_create_key+0x23/0x50 [sctp] age=3 cpu=0 pid=18494
[  669.826424]  __slab_alloc+0x4bf/0x566
[  669.826433]  __kmalloc+0x280/0x310
[  669.826453]  sctp_auth_create_key+0x23/0x50 [sctp]
[  669.826471]  sctp_auth_asoc_create_secret+0xcb/0x1e0 [sctp]
[  669.826488]  sctp_auth_asoc_init_active_key+0x68/0xa0 [sctp]
[  669.826505]  sctp_do_sm+0x29d/0x17c0 [sctp] [...]
[  669.826629] INFO: Freed in kzfree+0x31/0x40 age=1 cpu=0 pid=18494
[  669.826635]  __slab_free+0x39/0x2a8
[  669.826643]  kfree+0x1d6/0x230
[  669.826650]  kzfree+0x31/0x40
[  669.826666]  sctp_auth_key_put+0x19/0x20 [sctp]
[  669.826681]  sctp_assoc_update+0x1ee/0x2d0 [sctp]
[  669.826695]  sctp_do_sm+0x674/0x17c0 [sctp]

Since this only triggers in some collision-cases with AUTH, the problem at
heart is that sctp_auth_key_put() on asoc->asoc_shared_key is called twice
when having refcnt 1, once directly in sctp_assoc_update() and yet again
from within sctp_auth_asoc_init_active_key() via sctp_assoc_update() on
the already kzfree'd memory, which is also consistent with the observation
of the poison decrease from 0x6b to 0x6a (note: the overwrite is detected
at a later point in time when poison is checked on new allocation).

Reference counting of auth keys revisited:

Shared keys for AUTH chunks are being stored in endpoints and associations
in endpoint_shared_keys list. On endpoint creation, a null key is being
added; on association creation, all endpoint shared keys are being cached
and thus cloned over to the association. struct sctp_shared_key only holds
a pointer to the actual key bytes, that is, struct sctp_auth_bytes which
keeps track of users internally through refcounting. Naturally, on assoc
or enpoint destruction, sctp_shared_key are being destroyed directly and
the reference on sctp_auth_bytes dropped.

User space can add keys to either list via setsockopt(2) through struct
sctp_authkey and by passing that to sctp_auth_set_key() which replaces or
adds a new auth key. There, sctp_auth_create_key() creates a new sctp_auth_bytes
with refcount 1 and in case of replacement drops the reference on the old
sctp_auth_bytes. A key can be set active from user space through setsockopt()
on the id via sctp_auth_set_active_key(), which iterates through either
endpoint_shared_keys and in case of an assoc, invokes (one of various places)
sctp_auth_asoc_init_active_key().

sctp_auth_asoc_init_active_key() computes the actual secret from local's
and peer's random, hmac and shared key parameters and returns a new key
directly as sctp_auth_bytes, that is asoc->asoc_shared_key, plus drops
the reference if there was a previous one. The secret, which where we
eventually double drop the ref comes from sctp_auth_asoc_set_secret() with
intitial refcount of 1, which also stays unchanged eventually in
sctp_assoc_update(). This key is later being used for crypto layer to
set the key for the hash in crypto_hash_setkey() from sctp_auth_calculate_hmac().

To close the loop: asoc->asoc_shared_key is freshly allocated secret
material and independant of the sctp_shared_key management keeping track
of only shared keys in endpoints and assocs. Hence, also commit 4184b2a79a
("net: sctp: fix memory leak in auth key management") is independant of
this bug here since it concerns a different layer (though same structures
being used eventually). asoc->asoc_shared_key is reference dropped correctly
on assoc destruction in sctp_association_free() and when active keys are
being replaced in sctp_auth_asoc_init_active_key(), it always has a refcount
of 1. Hence, it's freed prematurely in sctp_assoc_update(). Simple fix is
to remove that sctp_auth_key_put() from there which fixes these panics.

Fixes: 730fc3d05c ("[SCTP]: Implete SCTP-AUTH parameter processing")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Vlad Yasevich <vyasevich@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 17:02:05 -08:00
Linus Torvalds
4adca1cbc4 Merge branch 'akpm' (patches from Andrew Morton)
Merge misc fixes from Andrew Morton:
 "Six fixes"

* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
  drivers/rtc/rtc-s5m.c: terminate s5m_rtc_id array with empty element
  printk: add dummy routine for when CONFIG_PRINTK=n
  mm/vmscan: fix highidx argument type
  memcg: remove extra newlines from memcg oom kill log
  x86, build: replace Perl script with Shell script
  mm: page_alloc: embed OOM killing naturally into allocation slowpath
2015-01-26 16:25:42 -08:00
Ezequiel Garcia
9e911414af net: mv643xx_eth: Fix highmem support in non-TSO egress path
Commit 69ad0dd7af
Author: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Date:   Mon May 19 13:59:59 2014 -0300

    net: mv643xx_eth: Use dma_map_single() to map the skb fragments

caused a nasty regression by removing the support for highmem skb
fragments. By using page_address() to get the address of a fragment's
page, we are assuming a lowmem page. However, such assumption is incorrect,
as fragments can be in highmem pages, resulting in very nasty issues.

This commit fixes this by using the skb_frag_dma_map() helper,
which takes care of mapping the skb fragment properly. Additionally,
the type of mapping is now tracked, so it can be unmapped using
dma_unmap_page or dma_unmap_single when appropriate.

This commit also fixes the error path in txq_init() to release the
resources properly.

Fixes: 69ad0dd7af ("net: mv643xx_eth: Use dma_map_single() to map the skb fragments")
Reported-by: Russell King <rmk+kernel@arm.linux.org.uk>
Signed-off-by: Ezequiel Garcia <ezequiel.garcia@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:14:40 -08:00
David S. Miller
9d08da9630 Merge branch 'sh_eth'
Ben Hutchings says:

====================
Fixes for sh_eth #2

I'm continuing review and testing of Ethernet support on the R-Car H2
chip.  This series fixes more of the issues I've found, but it won't be
the last set.

These are not tested on any of the other supported chips.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:20 -08:00
Ben Hutchings
283e38db65 sh_eth: Fix serialisation of interrupt disable with interrupt & NAPI handlers
In order to stop the RX path accessing the RX ring while it's being
stopped or resized, we clear the interrupt mask (EESIPR) and then call
free_irq() or synchronise_irq().  This is insufficient because the
interrupt handler or NAPI poller may set EESIPR again after we clear
it.  Also, in sh_eth_set_ringparam() we currently don't disable NAPI
polling at all.

I could easily trigger a crash by running the loop:

   while ethtool -G eth0 rx 128 && ethtool -G eth0 rx 64; do echo -n .; done

and 'ping -f' toward the sh_eth port from another machine.

To fix this:
- Add a software flag (irq_enabled) to signal whether interrupts
  should be enabled
- In the interrupt handler, if the flag is clear then clear EESIPR
  and return
- In the NAPI poller, if the flag is clear then don't set EESIPR
- Set the flag before enabling interrupts in sh_eth_dev_init() and
  sh_eth_set_ringparam()
- Clear the flag and serialise with the interrupt and NAPI
  handlers before clearing EESIPR in sh_eth_close() and
  sh_eth_set_ringparam()

After this, I could run the loop for 100,000 iterations successfully.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Ben Hutchings
084236d8c5 sh_eth: Fix crash or memory leak when resizing rings on device that is down
If the device is down then no packet buffers should be allocated.
We also must not touch its registers as it may be powered off.

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Ben Hutchings
bd8889163a sh_eth: Detach net device when stopping queue to resize DMA rings
We must only ever stop TX queues when they are full or the net device
is not 'ready' so far as the net core, and specifically the watchdog,
is concerned.  Otherwise, the watchdog may fire *immediately* if no
packets have been added to the queue in the last 5 seconds.

What's more, sh_eth_tx_timeout() will likely crash if called while
we're resizing the TX ring.

I could easily trigger this by running the loop:

   while ethtool -G eth0 rx 128 && ethtool -G eth0 rx 64; do echo -n .; done

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Ben Hutchings
eebfb643c0 sh_eth: Fix padding of short frames on TX
If an skb to be transmitted is shorter than the minimum Ethernet frame
length, we currently set the DMA descriptor length to the minimum but
do not add zero-padding.  This could result in leaking sensitive
data.  We also pass different lengths to dma_map_single() and
dma_unmap_single().

Use skb_padto() to pad properly, before calling dma_map_single().

Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:13:15 -08:00
Mugunthan V N
02a54164c5 drivers: net: cpsw: discard dual emac default vlan configuration
In Dual EMAC, the default VLANs are used to segregate Rx packets between
the ports, so adding the same default VLAN to the switch will affect the
normal packet transfers. So returning error on addition of dual EMAC
default VLANs.

Even if EMAC 0 default port VLAN is added to EMAC 1, it will lead to
break dual EMAC port separations.

Fixes: d9ba8f9e62 (driver: net: ethernet: cpsw: dual emac interface implementation)
Cc: <stable@vger.kernel.org> # v3.9+
Reported-by: Felipe Balbi <balbi@ti.com>
Signed-off-by: Mugunthan V N <mugunthanvnm@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 16:05:50 -08:00
Dave Airlie
5159571ceb Merge branch 'drm-fixes-3.19' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
Suspend/resume regression fix for 3.19.

* 'drm-fixes-3.19' of git://people.freedesktop.org/~agd5f/linux:
  drm/radeon: Remove rdev->gart.pages_addr array
  drm/radeon: Restore GART table contents after pinning it in VRAM v3
  drm/radeon: Split off gart_get_page_entry ASIC hook from set_page_entry
2015-01-27 09:56:13 +10:00
David S. Miller
b6663ad702 Merge branch 'cls_bpf'
Daniel Borkmann says:

====================
Two cls_bpf fixes

Found them while doing a review on act_bpf and going over the
cls_bpf code again. Will also address the first issue in act_bpf
as it needs to be fixed there, too.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:50:24 -08:00
Daniel Borkmann
3f2ab13594 net: cls_bpf: fix auto generation of per list handles
When creating a bpf classifier in tc with priority collisions and
invoking automatic unique handle assignment, cls_bpf_grab_new_handle()
will return a wrong handle id which in fact is non-unique. Usually
altering of specific filters is being addressed over major id, but
in case of collisions we result in a filter chain, where handle ids
address individual cls_bpf_progs inside the classifier.

Issue is, in cls_bpf_grab_new_handle() we probe for head->hgen handle
in cls_bpf_get() and in case we found a free handle, we're supposed
to use exactly head->hgen. In case of insufficient numbers of handles,
we bail out later as handle id 0 is not allowed.

Fixes: 7d1d65cb84 ("net: sched: cls_bpf: add BPF-based classifier")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:50:19 -08:00
Daniel Borkmann
7913ecf69e net: cls_bpf: fix size mismatch on filter preparation
In cls_bpf_modify_existing(), we read out the number of filter blocks,
do some sanity checks, allocate a block on that size, and copy over the
BPF instruction blob from user space, then pass everything through the
classic BPF checker prior to installation of the classifier.

We should reject mismatches here, there are 2 scenarios: the number of
filter blocks could be smaller than the provided instruction blob, so
we do a partial copy of the BPF program, and thus the instructions will
either be rejected from the verifier or a valid BPF program will be run;
in the other case, we'll end up copying more than we're supposed to,
and most likely the trailing garbage will be rejected by the verifier
as well (i.e. we need to fit instruction pattern, ret {A,K} needs to be
last instruction, load/stores must be correct, etc); in case not, we
would leak memory when dumping back instruction patterns. The code should
have only used nla_len() as Dave noted to avoid this from the beginning.
Anyway, lets fix it by rejecting such load attempts.

Fixes: 7d1d65cb84 ("net: sched: cls_bpf: add BPF-based classifier")
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Acked-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:50:18 -08:00
Dave Airlie
db9098ba1b Merge tag 'drm-amdkfd-fixes-2015-01-26' of git://people.freedesktop.org/~gabbayo/linux into drm-fixes
A couple of fixes for -rc7 in amdkfd:

- Forgot to free resources when creation of queue has failed
- Initialization of pipelines was incorrect (3 patches)

In addition, The patch "drm/amdkfd: Allow user to limit only queues per device"
is not a fix, but I would like to push it for 3.19 as it changes the ABI
between amdkfd and userspace (by changing the module parameters). I would
prefer *not* to support the two deprecated module parameters if I don't have
too, as amdkfd hasn't been released yet.

* tag 'drm-amdkfd-fixes-2015-01-26' of git://people.freedesktop.org/~gabbayo/linux:
  drm/amdkfd: Fix bug in call to init_pipelines()
  drm/amdkfd: Fix bug in pipelines initialization
  drm/radeon: Don't increment pipe_id in kgd_init_pipeline
  drm/amdkfd: Allow user to limit only queues per device
  drm/amdkfd: PQM handle queue creation fault
2015-01-27 09:48:33 +10:00
Dave Airlie
22cbbceff6 Linux 3.19-rc6
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJUxbzlAAoJEHm+PkMAQRiGtqYIAJ8YlKX9cXKYmXx8/FncINH+
 2erj94KyHG080R1uwSq1+7zXWCZUUlxiJnDnsup5rG0dImcicqgOE48oHax1aN6b
 yHfPONkTjNJ1HYepuGC3YWCG9wIjPZQ5S8KHrwRjyVoE+ddhe9gWgvArA3jl/fW/
 2fYNWekoRoMcRiNb4/w2weyOOBywdSVpmj0WYiwdztysG2ymw5hUXRHJhvSf1AFm
 RQJfUHkhCOYpQGY7XFba/1uGhTJfOgDmYAfspAOLzmrXE/DJcCutsVdBZO+12fAL
 nhGpM/PkRYxMvwzDKIUoG35qsymYOMqo54oXhr0S2JjyXTGdGmB6qHxIfqnV5Tk=
 =O/Lr
 -----END PGP SIGNATURE-----

Merge tag 'v3.19-rc6' into drm-fixes

Linux 3.19-rc6

pull in rc6 as the amdkfd fixes are based on it, and I'd rather
be doing the merges separately
2015-01-27 09:48:08 +10:00
David S. Miller
9e79ce66c6 linux-can-fixes-for-3.19-20150121
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCAAGBQJUwB19AAoJECte4hHFiupUuqAQAJ0S6SpHAKFbsb1c3a4Av6fT
 BlztznoxHPFdRhWg6RG4fnV1HhXWvBWSqsmPKapsfMIIDfonTasGks3ALocCJzYl
 9JvSNrj+VKh9ecE1Qkr53WNmxlqoHHgCioMXrTK5y8fBxqCqsfprDH+Q1U+Eh7sM
 P7JyjwbSj/m2TTZHaBd8lAf4qzm/xHH+56XK2BmSTWN3Fd3tmaGH+wRjF4maeF2F
 jG97x7Ev7vek8vBsCCfkt+mPQ9amu4+ptRfqOn/akQPvGxicfb3HOUglADHt8JaH
 7ISU96q5IGu4VpXJQd3idzJlwANp1kydLf0KLm1vSxlzEp27nQ6ewea3uf5SnJ6m
 uIa3QG4D7KX2qSvrNQ1MBLjDALdJMF0MIooSLMWi094z2C6OZ5A20lCIrGEv2lAo
 YyKUFQObhZzwWgjs3gGanYr4N5pi6vtYqwuYLje1v8XGgBo6rKTA9V7l8MG+2IN3
 JORpQBsCMHb15PrAH3aRBxcU9QpeP7244sWGSIdrSk3tyEr0wSn8v0y/Ef2g5MNv
 LHjupwWBLmgT/zVD3N8s+ZPcZxFdXo7zmXuHAvkAZzLD2RfogRkrlVIcRt/OQfhY
 r8V7F+VM1T6hrtJrzp7MDI/ZzraK5jk9mZHR8exOA1d2UYPiaha8N/athxMD/3TI
 pksebn/jqvJrO46R77mX
 =k63Q
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-3.19-20150121' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2015-01-21

this is a pull request for v3.19, net/master, which consists of a single patch.

Viktor Babrian fixes the issue in the c_can dirver, that the CAN interface
might continue to send frames after the interface has been shut down.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-01-26 15:24:14 -08:00
Linus Torvalds
c976a67b02 Merge branch 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup
Pull cgroup fix from Tejun Heo:
 "The lifetime rules of cgroup hierarchies always have been somewhat
  counter-intuitive and cgroup core tried to enforce that hierarchies
  w/o userland-visible usages must die in finite amount of time so that
  the controllers can be reused for other hierarchies; unfortunately,
  this can't be implemented reasonably for the memory controller - the
  kmemcg part doesn't have any way to forcefully drain the existing
  usages, leading to an interruptible hang if a following mount attempts
  to use the controller in any way.

  So, it seems like we're stuck with "hierarchies live on till they die
  whenever that may be" at least for now.  This pretty much confines
  attaching controllers to hierarchies to before the hierarchies are
  actively used by making dynamic configurations post active usages
  unreliable.  This has never been reliable and should be fine in
  practice given how cgroups are used.

  After the patch, hierarchies aren't killed if it isn't already
  drained.  A following mount attempt of the same mount options will
  reuse the existing hierarchy.  Mount attempts with differing options
  will fail w/ -EBUSY"

* 'for-3.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
  cgroup: prevent mount hang due to memory controller lifetime
2015-01-26 15:17:34 -08:00
Dave Airlie
104b61590d Merge branch 'drm-tda998x-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm into drm-fixes
3 fixes for the tda998x.

* 'drm-tda998x-fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
  drm/i2c: tda998x: set the CEC I2C address based on the slave I2C address
  drm: tda998x: Fix EDID read timeout on HDMI connect
  drm: tda998x: Protect the page register
2015-01-27 09:12:53 +10:00
Linus Torvalds
abe3b2695d regulator: Fixes for v3.19
One correctness fix here for the s2mps11 driver which would have
 resulted in some of the regulators being completely broken together with
 a fix for locking in regualtor_put() (which is fortunately rarely called
 at all in practical systems).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJUxiDBAAoJECTWi3JdVIfQNgYH/0ziCp+Hgxqi6qbCwJSMtzHN
 m0kei13bC9gCNH6SM7iYg1XoYN+qduYU8JdUHflvpxHmsOOt3PgUsVfAFPkX2xeA
 i9z0mZV47XOnX9eQQ+LweW4qLykhp/mbOxqDwyCix/PqKvPKChE7aJzAMCIn5kUl
 GgBcU2pBFTIDNXxibzuuEtfRUho+ry4w1JARI2r0n9Q5FQULPxOBhtP0RQlGZyW9
 +7tL/PBG4XYWUqOsg0wVHi5TA5kzrehPeW9GJhUIIdV7vcv9ACU6/T+aK9O6vqcv
 IeDM+NfIkHT81eXc8a+Zm6ud8TV585n7s8gQtqrAy25BTlBBfcGeqX3hOjZhAzU=
 =GLc6
 -----END PGP SIGNATURE-----

Merge tag 'regulator-v3.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator

Pull regulator fixes from Mark Brown:
 "One correctness fix here for the s2mps11 driver which would have
  resulted in some of the regulators being completely broken together
  with a fix for locking in regualtor_put() (which is fortunately rarely
  called at all in practical systems)"

* tag 'regulator-v3.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/regulator:
  regulator: s2mps11: Fix wrong calculation of register offset
  regulator: core: fix race condition in regulator_put()
2015-01-26 14:52:08 -08:00
Linus Torvalds
8d6b9327cb spi: Fixes for v3.19
A few driver specific fixes here, some fixes for issues introduced and
 discovered during recent work on the DesignWare driver (which has been
 getting a lot of attention recently) and a couple of other drivers.  All
 serious things for people who run into them.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJUxiKGAAoJECTWi3JdVIfQ3gAH/jkNJzgNOw0yyVNM6darlVjF
 fpDLbXEloryR89lui0FV1KeqNbUmtR1pIQFQnqPOrauBD6ccGxn0fNdF4p84j7wt
 cOiWpLbPJ9bGuxgYX8OQMFlba9Xk6cJbTJdr3j6Ep/CJuHkTsZHD1AYeYtsr/zG9
 bVLrqR/JuIASxkcv0fyZP3UFWJgu7Q5Ar8l4gPp8HwTqojDSs7OaTIPABjhG9INn
 l6AA/YXohTInjBXu7ALQjN0yFjtR2po41ewIo1DVkeOCQkarMSNtCejNEArTsOq2
 +6PiSQp8hewtc/f8SCwg8eQcBDA49TCPrN/flFVe+X5ynQg95YuqnZMo6ocIAac=
 =BqdK
 -----END PGP SIGNATURE-----

Merge tag 'spi-v3.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A few driver specific fixes here, some fixes for issues introduced and
  discovered during recent work on the DesignWare driver (which has been
  getting a lot of attention recently) and a couple of other drivers.
  All serious things for people who run into them"

* tag 'spi-v3.19-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: dw: amend warning message
  spi: sh-msiof: fix MDR1_FLD_MASK value
  spi: dw-mid: fix FIFO size
  spi: dw: Fix detecting FIFO depth
  spi/pxa2xx: Clear cur_chip pointer before starting next message
2015-01-26 14:51:19 -08:00